Windows Analysis Report
Copy#51007602.exe

Overview

General Information

Sample name: Copy#51007602.exe
Analysis ID: 1448039
MD5: d503277ebd054e3a3ccfe906cac2e6d8
SHA1: f209eb92df97e2569897f5da1097ae0d5b8d4bdb
SHA256: 7c9fb1f9b7c24c9e0608af47b246b224e295ebc18aecfee6a104a7046d9db19a
Tags: AgentTeslaexe

Detection

AgentTesla, PureLog Stealer
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected AgentTesla
Yara detected AntiVM3
Yara detected PureLog Stealer
.NET source code contains potential unpacker
AI detected suspicious sample
Drops large PE files
Injects a PE file into a foreign process
Machine Learning detection for dropped file
Machine Learning detection for sample
Queries sensitive network adapter information (via WMI, Win32_NetworkAdapter, often done to detect virtual machines)
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal ftp login credentials
Tries to steal Mail credentials (via file / registry access)
Yara detected Costura Assembly Loader
Yara detected Generic Downloader
Allocates memory with a write watch (potentially for evading sandboxes)
Contains functionality for execution timing, often used to detect debuggers
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Drops PE files
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May check the online IP address of the machine
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE / OLE file has an invalid certificate
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sample file is different than original file name gathered from version info
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Suspicious Outbound SMTP Connections
Uses 32bit PE files
Uses SMTP (mail sending)
Uses a known web browser user agent for HTTP communication
Uses code obfuscation techniques (call, push, ret)
Yara detected Credential Stealer
Yara signature match

Classification

Name: Agent Tesla, AgentTesla
Description: A .NET based information stealer readily available to actors due to leaked builders. The malware is able to log keystrokes, can access the host's clipboard and crawls the disk for credentials or other valuable information. It has the capability to send information back to its C&C via HTTP(S), SMTP, FTP, or towards a Telegram channel.
Attribution: SWEED
Blogpost URLs: (none listed)
Link: https://malpedia.caad.fkie.fraunhofer.de/details/win.agent_tesla

AV Detection

Source: C:\Users\user\AppData\Roaming\itdtn.exe Avira: detection malicious, Label: HEUR/AGEN.1332199
Source: 4.2.itdtn.exe.506b9a8.11.raw.unpack Malware Configuration Extractor: Agenttesla {"Exfil Mode": "SMTP", "Port": "587", "Host": "jahnindustry.shop", "Username": "sendanell@jahnindustry.shop", "Password": "WmfkJ55yPdtj"}
Source: Copy#51007602.exe Virustotal: Detection: 28%
Source: Copy#51007602.exe ReversingLabs: Detection: 15%
Source: Submitted Sample Integrated Neural Analysis Model: Matched 99.5% probability
Source: C:\Users\user\AppData\Roaming\itdtn.exe Joe Sandbox ML: detected
Source: Copy#51007602.exe Joe Sandbox ML: detected
Source: Copy#51007602.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49704 version: TLS 1.2
Source: unknown HTTPS traffic detected: 104.26.13.205:443 -> 192.168.2.5:49714 version: TLS 1.2
Source: Copy#51007602.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Copy#51007602.exe, 00000000.00000002.2111351064.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2126157017.0000000005510000.00000004.08000000.00040000.00000000.sdmp, itdtn.exe, 00000004.00000002.2235868873.0000000004F89000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2235868873.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.000000000357C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Copy#51007602.exe, 00000000.00000002.2114770908.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2114770908.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2123138110.0000000004F30000.00000004.08000000.00040000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.0000000003371000.00000004.00000800.00020000.00000000.sdmp
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 0_2_0548D9B8
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_05508112
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_05508118
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 0_2_055080D2
Source: C:\Users\user\AppData\Roaming\itdtn.exe Code function: 4x nop then mov dword ptr [ebp-20h], 00000000h 4_2_05D2D9B8
Source: C:\Users\user\AppData\Roaming\itdtn.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 4_2_05E17BF3
Source: C:\Users\user\AppData\Roaming\itdtn.exe Code function: 4x nop then cmp dword ptr [ebp-20h], 00000000h 4_2_05E17BF8

Networking

Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49705 -> 66.29.151.236:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49705 -> 66.29.151.236:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49705 -> 66.29.151.236:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49705 -> 66.29.151.236:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49705 -> 66.29.151.236:587
Source: Traffic Snort IDS: 2855542 ETPRO TROJAN Agent Tesla CnC Exfil Activity 192.168.2.5:49715 -> 66.29.151.236:587
Source: Traffic Snort IDS: 2855245 ETPRO TROJAN Agent Tesla Exfil via SMTP 192.168.2.5:49715 -> 66.29.151.236:587
Source: Traffic Snort IDS: 2851779 ETPRO TROJAN Agent Tesla Telegram Exfil 192.168.2.5:49715 -> 66.29.151.236:587
Source: Traffic Snort IDS: 2840032 ETPRO TROJAN Win32/AgentTesla/OriginLogger Data Exfil via SMTP M2 192.168.2.5:49715 -> 66.29.151.236:587
Source: Traffic Snort IDS: 2030171 ET TROJAN AgentTesla Exfil Via SMTP 192.168.2.5:49715 -> 66.29.151.236:587
Source: Yara match File source: 0.2.Copy#51007602.exe.40111f0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3de7dd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3bbe9a0.3.raw.unpack, type: UNPACKEDPE
Source: global traffic TCP traffic: 192.168.2.5:49705 -> 66.29.151.236:587
Source: Joe Sandbox View IP Address: 66.29.151.236
Source: Joe Sandbox View IP Address: 104.26.13.205
Source: Joe Sandbox View ASN Name: ADVANTAGECOMUS
Source: Joe Sandbox View JA3 fingerprint: 3b5074b1b5d032e5620f69f9f700ff0e
Source: unknown DNS query: name: api.ipify.org
Source: global traffic HTTP traffic detected: GET / HTTP/1.1 | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:99.0) Gecko/20100101 Firefox/99.0 | Host: api.ipify.org | Connection: Keep-Alive
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic DNS traffic detected: DNS query: api.ipify.org
Source: global traffic DNS traffic detected: DNS query: jahnindustry.shop
Source: Copy#51007602.exe, 00000002.00000002.3235618888.0000000003307000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000005.00000002.3236815937.0000000003347000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jahnindustry.shop
Source: Copy#51007602.exe, 00000000.00000002.2111351064.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000002.00000002.3235618888.0000000003291000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.000000000357C000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000005.00000002.3236815937.00000000032DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name
Source: Copy#51007602.exe, 00000000.00000002.2114770908.0000000003991000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2235868873.0000000005056000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.0000000003633000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000005.00000002.3231826482.000000000042F000.00000040.00000400.00020000.00000000.sdmp String found in binary or memory: https://account.dyn.com/
Source: Copy#51007602.exe, 00000000.00000002.2114770908.0000000003991000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000002.00000002.3235618888.0000000003291000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2235868873.0000000005056000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.0000000003633000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000005.00000002.3231826482.000000000042F000.00000040.00000400.00020000.00000000.sdmp, itdtn.exe, 00000005.00000002.3236815937.00000000032DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org
Source: Copy#51007602.exe, 00000002.00000002.3235618888.0000000003291000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000005.00000002.3236815937.00000000032DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/
Source: Copy#51007602.exe, 00000002.00000002.3235618888.0000000003291000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000005.00000002.3236815937.00000000032DC000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://api.ipify.org/t
Source: Copy#51007602.exe, 00000000.00000002.2114770908.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2114770908.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2123138110.0000000004F30000.00000004.08000000.00040000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.0000000003371000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://github.com/mgravell/protobuf-net
Source: Copy#51007602.exe, 00000000.00000002.2114770908.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2114770908.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2123138110.0000000004F30000.00000004.08000000.00040000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.0000000003371000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/11564914/23354;
Source: Copy#51007602.exe, 00000000.00000002.2114770908.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2111351064.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2114770908.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2123138110.0000000004F30000.00000004.08000000.00040000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.0000000003371000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.00000000034EF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/14436606/23354
Source: Copy#51007602.exe, 00000000.00000002.2114770908.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2114770908.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2123138110.0000000004F30000.00000004.08000000.00040000.00000000.sdmp String found in binary or memory: https://stackoverflow.com/q/2152978/23354
Source: unknown Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 49714 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49714

System Summary

Source: 4.2.itdtn.exe.506b9a8.11.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 4.2.itdtn.exe.506b9a8.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Copy#51007602.exe.40111f0.11.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Copy#51007602.exe.3de7dd0.6.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: 0.2.Copy#51007602.exe.3bbe9a0.3.raw.unpack, type: UNPACKEDPE Matched rule: Detects executables referencing Windows vault credential objects. Observed in infostealers Author: ditekSHen
Source: C:\Users\user\Desktop\Copy#51007602.exe File dump: itdtn.exe.0.dr 293997803
Source: Copy#51007602.exe Static PE information: invalid certificate
Source: Copy#51007602.exe, 00000000.00000002.2123443818.00000000050D0000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameRamobntk.dll" vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000000.00000002.2114770908.00000000045F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000000.00000002.2108786993.00000000009CE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclr.dllT vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000000.00000002.2111351064.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000000.00000002.2111351064.0000000002A05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameclrjit.dllT vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000000.00000002.2111351064.0000000002A05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilename vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000000.00000002.2111351064.0000000002A05000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: $]q,\\StringFileInfo\\040904B0\\OriginalFilename vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000000.00000002.2114770908.0000000003991000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameRamobntk.dll" vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000000.00000002.2114770908.0000000003991000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameea41cd90-05ce-41ae-8370-da9b61ece0fb.exe4 vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000000.00000002.2126157017.0000000005510000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameMicrosoft.Win32.TaskScheduler.dll\ vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000000.00000002.2114770908.00000000046BE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000000.00000002.2123138110.0000000004F30000.00000004.08000000.00040000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameea41cd90-05ce-41ae-8370-da9b61ece0fb.exe4 vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: OriginalFilenameprotobuf-net.dllJ vs Copy#51007602.exe
Source: Copy#51007602.exe, 00000002.00000002.3232483832.0000000001389000.00000004.00000010.00020000.00000000.sdmp Binary or memory string: OriginalFilenameUNKNOWN_FILET vs Copy#51007602.exe
Source: Copy#51007602.exe Binary or memory string: OriginalFilenameDoc.exe> vs Copy#51007602.exe
Source: Copy#51007602.exe Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, 32BIT_MACHINE
Source: 4.2.itdtn.exe.506b9a8.11.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 4.2.itdtn.exe.506b9a8.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Copy#51007602.exe.40111f0.11.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Copy#51007602.exe.3de7dd0.6.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: 0.2.Copy#51007602.exe.3bbe9a0.3.raw.unpack, type: UNPACKEDPE Matched rule: INDICATOR_SUSPICIOUS_EXE_VaultSchemaGUID author = ditekSHen, description = Detects executables referencing Windows vault credential objects. Observed in infostealers
Source: classification engine Classification label: mal100.troj.spyw.evad.winEXE@6/3@2/2
Source: C:\Users\user\Desktop\Copy#51007602.exe File created: C:\Users\user\AppData\Roaming\itdtn.exe
Source: C:\Users\user\AppData\Roaming\itdtn.exe Mutant created: NULL
Source: Copy#51007602.exe Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
Source: Copy#51007602.exe Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 50.01%
Source: C:\Users\user\Desktop\Copy#51007602.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Copy#51007602.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\itdtn.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\itdtn.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\Desktop\Copy#51007602.exe File read: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\Desktop\Copy#51007602.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: Copy#51007602.exe Virustotal: Detection: 28%
Source: Copy#51007602.exe ReversingLabs: Detection: 15%
Source: C:\Users\user\Desktop\Copy#51007602.exe File read: C:\Users\user\Desktop\Copy#51007602.exe
Source: unknown Process created: C:\Users\user\Desktop\Copy#51007602.exe "C:\Users\user\Desktop\Copy#51007602.exe"
Source: C:\Users\user\Desktop\Copy#51007602.exe Process created: C:\Users\user\Desktop\Copy#51007602.exe "C:\Users\user\Desktop\Copy#51007602.exe"
Source: unknown Process created: C:\Users\user\AppData\Roaming\itdtn.exe "C:\Users\user\AppData\Roaming\itdtn.exe"
Source: C:\Users\user\AppData\Roaming\itdtn.exe Process created: C:\Users\user\AppData\Roaming\itdtn.exe "C:\Users\user\AppData\Roaming\itdtn.exe"
Source: C:\Users\user\Desktop\Copy#51007602.exe Process created: C:\Users\user\Desktop\Copy#51007602.exe "C:\Users\user\Desktop\Copy#51007602.exe"
Source: C:\Users\user\AppData\Roaming\itdtn.exe Process created: C:\Users\user\AppData\Roaming\itdtn.exe "C:\Users\user\AppData\Roaming\itdtn.exe"
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: apphelp.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: version.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: windows.storage.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: wldp.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: profapi.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: amsi.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: userenv.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: sspicli.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: rasapi32.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: rasman.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: rtutils.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: mswsock.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: winhttp.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: dnsapi.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: winnsi.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: secur32.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: schannel.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: ntasn1.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: ncrypt.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: vaultcli.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Section loaded: wintypes.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: mscoree.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: apphelp.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: kernel.appcore.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: version.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: windows.storage.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: wldp.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: profapi.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: cryptsp.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: rsaenh.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: cryptbase.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: amsi.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: userenv.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: msasn1.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: gpapi.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: uxtheme.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: wbemcomn.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: sspicli.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: rasapi32.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: rasman.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: rtutils.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: mswsock.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: winhttp.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: ondemandconnroutehelper.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: iphlpapi.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: dhcpcsvc6.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: dhcpcsvc.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: dnsapi.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: winnsi.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: rasadhlp.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: fwpuclnt.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: secur32.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: schannel.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: mskeyprotect.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: ntasn1.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: ncrypt.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: ncryptsslp.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: vaultcli.dll
Source: C:\Users\user\AppData\Roaming\itdtn.exe Section loaded: wintypes.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32
Source: C:\Users\user\Desktop\Copy#51007602.exe File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Outlook\Profiles
Source: Copy#51007602.exe Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR
Source: Copy#51007602.exe Static PE information: Virtual size of .text is bigger than: 0x100000
Source: Copy#51007602.exe Static file information: File size 2696656 > 1048576
Source: Copy#51007602.exe Static PE information: Raw size of .text is bigger than: 0x100000 < 0x267400
Source: Copy#51007602.exe Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdbSHA256e source: Copy#51007602.exe, 00000000.00000002.2111351064.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2126157017.0000000005510000.00000004.08000000.00040000.00000000.sdmp, itdtn.exe, 00000004.00000002.2235868873.0000000004F89000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2235868873.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.000000000357C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\dahall\Documents\GitHubRepos\TaskScheduler\TaskService\obj\Release\net40\Microsoft.Win32.TaskScheduler.pdb source: Copy#51007602.exe, 00000000.00000002.2111351064.0000000002CEE000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2126157017.0000000005510000.00000004.08000000.00040000.00000000.sdmp, itdtn.exe, 00000004.00000002.2235868873.0000000004F89000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2235868873.0000000004FE0000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.000000000357C000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdbSHA256}Lq source: Copy#51007602.exe, 00000000.00000002.2114770908.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2114770908.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2123138110.0000000004F30000.00000004.08000000.00040000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.0000000003371000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: protobuf-net.pdb source: Copy#51007602.exe, 00000000.00000002.2114770908.00000000045F2000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2114770908.00000000046BE000.00000004.00000800.00020000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2123138110.0000000004F30000.00000004.08000000.00040000.00000000.sdmp, Copy#51007602.exe, 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.0000000003371000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: 0.2.Copy#51007602.exe.466e210.5.raw.unpack, TypeModel.cs .Net Code: TryDeserializeList
Source: 0.2.Copy#51007602.exe.466e210.5.raw.unpack, ListDecorator.cs .Net Code: Read
Source: 0.2.Copy#51007602.exe.466e210.5.raw.unpack, TypeSerializer.cs .Net Code: CreateInstance
Source: 0.2.Copy#51007602.exe.466e210.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateInstance
Source: 0.2.Copy#51007602.exe.466e210.5.raw.unpack, TypeSerializer.cs .Net Code: EmitCreateIfNull
Source: Yara match File source: 4.2.itdtn.exe.4cce790.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.itdtn.exe.4ca6770.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.45de7d0.10.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.itdtn.exe.4d1e7b0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.itdtn.exe.4dbe7d0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.453e7b0.12.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.44ee790.13.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.itdtn.exe.4ca6770.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.2c267d0.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.itdtn.exe.4cce790.10.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.itdtn.exe.3427aac.2.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.itdtn.exe.3427aac.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.2c267d0.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.44c6770.7.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.5400000.16.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.44ee790.13.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.44c6770.7.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000004.00000002.2235868873.0000000004CA6000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2114770908.00000000045DE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2235868873.0000000004DBE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2235868873.0000000004D1E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2125383195.0000000005400000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2235868873.0000000004CCE000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2229535791.0000000003371000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2114770908.0000000004391000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Copy#51007602.exe PID: 6008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itdtn.exe PID: 2604, type: MEMORYSTR
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 0_2_00F13651 push eax; retf 0_2_00F1365D
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 0_2_04EFFAC4 push es; iretd 0_2_04EFFAC7
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FD5150 push es; ret 2_2_06FD5160
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FDFBDD push es; iretd 2_2_06FDFBE0
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FDFBCD push es; iretd 2_2_06FDFBDC
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FDFBC9 push es; iretd 2_2_06FDFBCC
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FDFB99 push es; iretd 2_2_06FDFBC8
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FDFB7D push es; iretd 2_2_06FDFB88
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FDFB71 push es; iretd 2_2_06FDFB7C
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FDFB6D push es; iretd 2_2_06FDFB70
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FDFB55 push es; iretd 2_2_06FDFB5C
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FDFB49 push es; iretd 2_2_06FDFB54
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FDFB44 push es; iretd 2_2_06FDFB48
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FDFB21 push es; iretd 2_2_06FDFB24
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FDFB1D push es; iretd 2_2_06FDFB20
Source: C:\Users\user\Desktop\Copy#51007602.exe Code function: 2_2_06FDFB10 push es; iretd 2_2_06FDFB1C
Source: C:\Users\user\AppData\Roaming\itdtn.exe Code function: 4_2_02F63651 push eax; retf 4_2_02F6365D
Source: C:\Users\user\AppData\Roaming\itdtn.exe Code function: 4_2_05B0FAC4 push es; iretd 4_2_05B0FAC7
Source: C:\Users\user\AppData\Roaming\itdtn.exe Code function: 4_2_05B28070 push es; ret 4_2_05B28076
Source: C:\Users\user\AppData\Roaming\itdtn.exe Code function: 5_2_06FE5150 push es; ret 5_2_06FE5160
Source: C:\Users\user\AppData\Roaming\itdtn.exe Code function: 5_2_06FEFBCD push es; iretd 5_2_06FEFBDC
Source: C:\Users\user\AppData\Roaming\itdtn.exe Code function: 5_2_06FEFB44 push es; iretd 5_2_06FEFB48
Source: C:\Users\user\AppData\Roaming\itdtn.exe Code function: 5_2_06FEFB10 push es; iretd 5_2_06FEFB1C
Source: C:\Users\user\Desktop\Copy#51007602.exe File created: C:\Users\user\AppData\Roaming\itdtn.exe
Source: C:\Users\user\Desktop\Copy#51007602.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run itdtn
Source: C:\Users\user\Desktop\Copy#51007602.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\AutoUpdate
Source: C:\Users\user\Desktop\Copy#51007602.exe Registry key monitored for changes: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Users\user\AppData\Roaming\itdtn.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: Yara match File source: Process Memory Space: Copy#51007602.exe PID: 6008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itdtn.exe PID: 2604, type: MEMORYSTR
Source: C:\Users\user\Desktop\Copy#51007602.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: C:\Users\user\AppData\Roaming\itdtn.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_NetworkAdapterConfiguration
Source: Copy#51007602.exe, 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, itdtn.exe, 00000004.00000002.2229535791.0000000003371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBIEDLL.DLL0SELECT * FROM WIN32_BIOS8UNEXPECTED WMI QUERY FAILURE
Source: C:\Users\user\Desktop\Copy#51007602.exe Memory allocated: E30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Copy#51007602.exe Memory allocated: 2990000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Copy#51007602.exe Memory allocated: E30000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Copy#51007602.exe Memory allocated: 6290000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Copy#51007602.exe Memory allocated: 5560000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Copy#51007602.exe Memory allocated: 7290000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Copy#51007602.exe Memory allocated: 19290000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Copy#51007602.exe Memory allocated: 30F0000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Copy#51007602.exe Memory allocated: 3290000 memory reserve | memory write watch
Source: C:\Users\user\Desktop\Copy#51007602.exe Memory allocated: 5290000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\itdtn.exe Memory allocated: 2F60000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\itdtn.exe Memory allocated: 3170000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\itdtn.exe Memory allocated: 2F80000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\itdtn.exe Memory allocated: 1AC0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\itdtn.exe Memory allocated: 32D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\itdtn.exe Memory allocated: 52D0000 memory reserve | memory write watch
Source: C:\Users\user\AppData\Roaming\itdtn.exe Code function: 5_2_06FE7D9B rdtsc 5_2_06FE7D9B
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Copy#51007602.exe Window / User API: threadDelayed 1146
Source: C:\Users\user\Desktop\Copy#51007602.exe Window / User API: threadDelayed 2238
Source: C:\Users\user\AppData\Roaming\itdtn.exe Window / User API: threadDelayed 2891
Source: C:\Users\user\AppData\Roaming\itdtn.exe Window / User API: threadDelayed 696
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 3144 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -9223372036854770s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 4836 Thread sleep count: 1146 > 30
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -99891s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 4836 Thread sleep count: 2238 > 30
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -99782s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -99657s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -99532s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -99313s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -99188s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -99063s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -98938s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -98797s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -98687s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -98577s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -98469s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -98327s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -98219s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -98110s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe TID: 2200 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 5744 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -10145709240540247s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -100000s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -99875s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 6204 Thread sleep count: 2891 > 30
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 6204 Thread sleep count: 696 > 30
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -99765s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -99656s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -99547s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -99422s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -99312s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -99203s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -99094s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -98969s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -98859s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -98750s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -98640s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -98531s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -98422s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -98310s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -98203s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -98094s >= -30000s
Source: C:\Users\user\AppData\Roaming\itdtn.exe TID: 1276 Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\Copy#51007602.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\AppData\Roaming\itdtn.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BaseBoard
Source: C:\Users\user\Desktop\Copy#51007602.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\Desktop\Copy#51007602.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\itdtn.exe WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_Processor
Source: C:\Users\user\AppData\Roaming\itdtn.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT * FROM Win32_Processor
Source: C:\Users\user\AppData\Roaming\itdtn.exe Last function: Thread delayed
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 100000
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 99891
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 99782
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 99657
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 99532
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 99422
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 99313
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 99188
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 99063
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 98938
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 98797
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 98687
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 98577
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 98469
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 98327
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 98219
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 98110
Source: C:\Users\user\Desktop\Copy#51007602.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 922337203685477
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 100000
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 99875
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 99765
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 99656
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 99547
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 99422
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 99312
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 99203
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 99094
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 98969
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 98859
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 98750
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 98640
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 98531
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 98422
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 98310
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 98203
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 98094
Source: C:\Users\user\AppData\Roaming\itdtn.exe Thread delayed: delay time: 922337203685477
Source: itdtn.exe, 00000005.00000002.3232710766.000000000177A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllp
Source: itdtn.exe, 00000004.00000002.2229535791.0000000003371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SerialNumber0VMware|VIRTUAL|A M I|XenDselect * from Win32_ComputerSystem
Source: itdtn.exe, 00000004.00000002.2229535791.0000000003371000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: model0Microsoft|VMWare|Virtual
Source: Copy#51007602.exe, 00000002.00000002.3232678455.000000000161D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Users\user\Desktop\Copy#51007602.exe Process information queried: ProcessInformation
Source: C:\Users\user\AppData\Roaming\itdtn.exe Code function: 5_2_06FE7D9B rdtsc 5_2_06FE7D9B
Source: C:\Users\user\Desktop\Copy#51007602.exe Process token adjusted: Debug
Source: C:\Users\user\Desktop\Copy#51007602.exe Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion

Source: C:\Users\user\Desktop\Copy#51007602.exe Memory written: C:\Users\user\Desktop\Copy#51007602.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\AppData\Roaming\itdtn.exe Memory written: C:\Users\user\AppData\Roaming\itdtn.exe base: 400000 value starts with: 4D5A
Source: C:\Users\user\Desktop\Copy#51007602.exe Process created: C:\Users\user\Desktop\Copy#51007602.exe "C:\Users\user\Desktop\Copy#51007602.exe"
Source: C:\Users\user\AppData\Roaming\itdtn.exe Process created: C:\Users\user\AppData\Roaming\itdtn.exe "C:\Users\user\AppData\Roaming\itdtn.exe"
Source: C:\Users\user\Desktop\Copy#51007602.exe Queries volume information: C:\Users\user\Desktop\Copy#51007602.exe VolumeInformation
Source: C:\Users\user\Desktop\Copy#51007602.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#51007602.exe Queries volume information: C:\Users\user\Desktop\Copy#51007602.exe VolumeInformation
Source: C:\Users\user\Desktop\Copy#51007602.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#51007602.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#51007602.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#51007602.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#51007602.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\itdtn.exe Queries volume information: C:\Users\user\AppData\Roaming\itdtn.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\itdtn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\itdtn.exe Queries volume information: C:\Users\user\AppData\Roaming\itdtn.exe VolumeInformation
Source: C:\Users\user\AppData\Roaming\itdtn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\itdtn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Security\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Security.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\itdtn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\itdtn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation
Source: C:\Users\user\AppData\Roaming\itdtn.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation
Source: C:\Users\user\Desktop\Copy#51007602.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 4.2.itdtn.exe.506b9a8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.itdtn.exe.506b9a8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.40111f0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3de7dd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3bbe9a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3236815937.0000000003347000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3235618888.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2229535791.0000000003633000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3236815937.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2235868873.0000000005056000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3231826482.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3235618888.0000000003307000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2114770908.0000000003991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Copy#51007602.exe PID: 6008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Copy#51007602.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itdtn.exe PID: 2604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itdtn.exe PID: 3936, type: MEMORYSTR
Source: Yara match File source: 0.2.Copy#51007602.exe.50d0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3bbe9a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.50d0000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3de7dd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.40111f0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.40111f0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3de7dd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3bbe9a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2123443818.00000000050D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2114770908.0000000003991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: C:\Users\user\Desktop\Copy#51007602.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\itdtn.exe Key opened: HKEY_CURRENT_USER\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions
Source: C:\Users\user\AppData\Roaming\itdtn.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\itdtn.exe File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data
Source: C:\Users\user\AppData\Roaming\itdtn.exe File opened: C:\Users\user\AppData\Roaming\NETGATE Technologies\BlackHawk\profiles.ini
Source: C:\Users\user\AppData\Roaming\itdtn.exe File opened: C:\Users\user\AppData\Roaming\8pecxstudios\Cyberfox\profiles.ini
Source: C:\Users\user\AppData\Roaming\itdtn.exe File opened: C:\Users\user\AppData\Roaming\Mozilla\Firefox\profiles.ini
Source: C:\Users\user\AppData\Roaming\itdtn.exe File opened: C:\FTP Navigator\Ftplist.txt
Source: C:\Users\user\Desktop\Copy#51007602.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Copy#51007602.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\Desktop\Copy#51007602.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\Desktop\Copy#51007602.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: C:\Users\user\AppData\Roaming\itdtn.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\itdtn.exe File opened: C:\Users\user\AppData\Roaming\Thunderbird\profiles.ini
Source: C:\Users\user\AppData\Roaming\itdtn.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles
Source: C:\Users\user\AppData\Roaming\itdtn.exe Key opened: HKEY_CURRENT_USER\Software\IncrediMail\Identities
Source: Yara match File source: 4.2.itdtn.exe.506b9a8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.itdtn.exe.506b9a8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.40111f0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3de7dd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3bbe9a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000002.00000002.3235618888.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2229535791.0000000003633000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3236815937.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2235868873.0000000005056000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3231826482.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2114770908.0000000003991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Copy#51007602.exe PID: 6008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Copy#51007602.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itdtn.exe PID: 2604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itdtn.exe PID: 3936, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: dump.pcap, type: PCAP
Source: Yara match File source: 4.2.itdtn.exe.506b9a8.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.itdtn.exe.506b9a8.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.40111f0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3de7dd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3bbe9a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000005.00000002.3236815937.0000000003347000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3235618888.00000000032E1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2229535791.0000000003633000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3236815937.0000000003321000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000004.00000002.2235868873.0000000005056000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000005.00000002.3231826482.000000000042F000.00000040.00000400.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.3235618888.0000000003307000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2111351064.0000000002B74000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2114770908.0000000003991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: Copy#51007602.exe PID: 6008, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: Copy#51007602.exe PID: 4084, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itdtn.exe PID: 2604, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: itdtn.exe PID: 3936, type: MEMORYSTR
Source: Yara match File source: 0.2.Copy#51007602.exe.50d0000.15.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3bbe9a0.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.50d0000.15.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3de7dd0.6.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.40111f0.11.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.40111f0.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3de7dd0.6.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 0.2.Copy#51007602.exe.3bbe9a0.3.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 00000000.00000002.2123443818.00000000050D0000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000000.00000002.2114770908.0000000003991000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY